DETAILED ACTION
 	Claims 1-15 are pending. Claims 1 and 15 are amended. This is in response to Applicant’s amendment filed on April 22, 2021.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
 	Applicant’s arguments with respect to claims 1 and 15 under 103 rejection have been considered but are moot in view of a new ground of rejection necessitated by the amendments to the claims.
	Applicant asserted Rovniaguin’s invalid transaction is not an invalid message is not persuasive. Col. 6, line 55 to Col. 7, line 4 states “…the security module 210 detects and prevents such DOS attacks using such criteria or parameters like Transactions per second (TPS)… the security module 210 monitors the number of invalid transactions which occur within a certain amount of time and compares that number (or ratio with valid transactions) with a threshold value.  If threshold value is exceeded, the security module 210 marks the particular client device 106 and/or requested resource as being suspicious”. Clearly, Rovniaguin sees these transaction messages/second as rogue messages created by DOS attack when comparing to a number of transactions/second as valid if the time threshold value is different.
 	The Double Patenting rejection is withdrawn in view of the amendments.
 	This is a Final Action.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-4 and 8-15 are rejected under 35 U.S.C. 103 as being unpatentable over PG Pub 20150113638 (hereinafter Valasek) in view of US Patent 9282116 (hereinafter Rovniaguin) and further in view of PG Pub 20180302422 (Hereinafter Kishikawa)
 	Regarding claim 1, Valasek discloses a method of detecting attacks on a communication authentication layer of an in-vehicle network, the method comprising: 
 	determining, by at least one network node, at least one attack attempt on the communication authentication layer of the in-vehicle network, wherein the communication authentication layer is adapted to include an authentication code in messages and to authenticate messages based on the authentication code, and wherein the determination is carried out by identifying anomalies in at least one of messages, data and metadata directed to the communication authentication layer (Figs. 2-3, par. [0036]-[0037] disclose a method for detecting threats or attacks of malicious data messages on an automobile network. Valasek is silent on validating each message using the message authentication code (MAC). Kishikawa monitors intrusion detection by inspecting frame reception history and MAC verification results (Fig. 25 and par. [0159]-[0160] disclose  analyzing the frame reception history for information relating to contents and MAC verification results of data frames received from the past until the present. Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Valasek with Kishikawa. One would have done so to improve the intrusion detection in an onboard network system having multiple electronic units (ECUs) that perform communication via a bus, such that an occurrence of an unauthorized state can be detected by monitoring frames transmitted over the bus (Kishikawa, Summary section); and wherein the determination is carried out by: 
 	Valasek further discloses counting, by the at least one network node, the number of valid messages and the number of invalid messages received by the node during a predefined time interval (par. [0027] discloses the rate at which a particular message is seen changes, i.e. a message with CAN ID: 112 is seen 40 times in a second when normally it is seen only two times per second. See also Fig. 5 and par. [0028]-[0035] for transmission frequency of the at least one message compared to a frequency threshold;
 identifying an attack on the communication authentication layer based on at least one of: 
 		the number of valid messages is less than a first threshold (Valasek discloses number of messages received below the frequency threshold is valid);
first threshold) with valid transactions a ratio to a threshold value (second threshold)). Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Valasek and Kishikawa with Rovniaguin to further teach identifying an attack on the communication authentication layer based on at least one of: the number of invalid messages is greater than a second threshold, and 
 relating the of number valid messages to the number of invalid messages to a predefined ratio. One would have done so to effectively distinguish between legitimate requests that are originated by legitimate users and transactions that are originated by attackers (Rovniaguin, Abstract).  	Valasek discloses selecting, by the at least one network node, a response corresponding to the determined attack attempt, said response selected from at least one of: modification of parameter values corresponding to a security protocol; a failsafe response; and rejection of messages identified as anomalies (Valasek, par. [0038] discloses a warning can be generated, the CAN message can be rejected, or the car can be slowed down, shut off, vehicle components can be operated in a certain way, 
 	Regarding claim 2, Valasek discloses wherein the response is selected in accordance with the number of received messages of a predetermined type being greater than a third threshold during the predefined time interval (par. [0027]-[0028] discloses using dynamic pattern matching. In dynamic pattern matching, a baseline of behavior will be established first by constructing a model of normal traffic based on the read messages the rate at which a particular message is seen changes. This suggests the frequency threshold value can be changed over time).  	Regarding claim 3, Valasek discloses comprising identifying a message as an anomaly based on identification, in the message, of a code from a previously received message (par. [0026] discloses the memory 204 stores threat identification data. The memory stores at least one known CAN ID, that is a CAN ID associated with a threat). 	Regarding claim 4, Valasek discloses comprising identifying a message as an anomaly based on identification of a change in a frequency of received messages, wherein the change in frequency exceeds a predefined threshold (see claims 1-2’s rejections. Valasek teaches seeing the message with CAN ID: 112 is seen 40 times in a second is considered abnormal. Hence, 40 could be a predefined threshold or it could be anything over 30 times/sec is anomalous, for example. See also par. [0035] for frequency threshold).

wherein the response is selected in accordance with detection of a deviation from an expected behavior, wherein the deviation is detected based on at least one of: a timing model and a content model (par. [0020 and [0033] discloses using the CAN ID for threat identification data).  	Regarding claims 9-10, Valasek discloses sending a message to at least one node of the network, wherein the sent message comprises at least one of: an indication of a detected security risk and an indication of the selected response wherein the sent message further comprises an indication of the type of the identified anomaly (Valasek monitors all sent messages for threat by inspecting the CAN ID)..  	Regarding claim 11, Valasek discloses selecting predefined normal mode response based on identification of at least one of: a predefined event, a predefined time interval and a predefined command (par. [0024] discloses response can be alerting the driver to the anomaly/attack or performing an action with the vehicle. For example, the driver can be alerted by an audible alert, a message appearing on the instrument cluster, flashing lights, etc. The action performed by the vehicle can be any physical action, for example, applying the brakes and immobilizing the vehicle, killing the engine, disabling all communications on the CAN network, etc.).  	Regarding claim 12, Valasek discloses performing at least one of: logging a message identified as an anomaly, blocking a message identified as an anomaly, and sending a signal on a communication bus to cause network nodes to disregard the message (see claim 13’s rejection). 

	Regarding claim 13, Valasek discloses wherein the response is selected in accordance with detection of a deviation from an expected time value progression in a plurality of secured time messages (see claim 2’s rejection for dynamic pattern matching for teaching the frequency threshold value for normal messages received can change overtime). 
 	Regarding claim 14, the claim is rejected in view of claim 1’s rejection.	
 	Regarding claim 15, Valasek discloses a communication module, coupled to the processor and configured to communicate with external devices (Fig. 1).

 	Claim 5-7 are rejected under 35 U.S.C. 103 as being unpatentable over Valasek in view of Rovniaguin, Kishikawa and further in view of PG Pub 20130263268 (hereinafter Kim) 	Regarding claim 5, Valasek, Rovniaguin and Kishikawa do not expressly disclose determining a confidence level of a message being valid based on a code in the message and based on one or more codes included in one or more previously received messages, wherein if the confidence level is below a confidence level threshold the message is identified as an anomaly. Kim teaches inspecting a message under attack by using the message identification value and a sequential number (Figs. 19, 22 and comprising determining at least one pattern of messages, wherein the response is selected in accordance with determination of a predetermined pattern of messages characterized by at least one of: a sequence of message types and a time interval between messages and wherein the response is selected in accordance with determination of a pattern of messages being different from a predetermined pattern (see claim 5’s rejection. Valasek teaches the CAN ID signifies the type of data to expect and Kim inspects the sequence value). 
	Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not 

Inquiry Communication
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRI M TRAN whose telephone number is (571)270-1994.  The examiner can normally be reached on Mon-Fri: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 5712723804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic 

/TRI M TRAN/Primary Examiner, Art Unit 2494